Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20141017093252.GA4040@balvenie>
Date: Fri, 17 Oct 2014 11:32:53 +0200
From: Yves-Alexis Perez <corsac@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: attacking hsts through ntp

On Fri, Oct 17, 2014 at 09:53:29AM +0200, Hanno Böck wrote:
> Am Thu, 16 Oct 2014 18:45:18 -0600
> schrieb Kurt Seifried <kseifried@...hat.com>:
> 
> > You can't trust remote servers you're getting the content from... what
> > if I send wonky times to try and screw with your browser? Or header
> > injection attacks? No thanks.
> 
> It's not entirely a bad idea. You could say "if http header time and
> system time differ severely (> 1 week or something) then don't connect
> to hsts sites".

Sounds a bit like kerberos
-- 
Yves-Alexis

Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.